Show more details on secure connections #6157
Comments
I'm the one who had filed the support request, as it wasn't obvious that there was a GitHub issue tracker for public discussion of things like this. :) Note that this is orthogonal to #1248 and #2611. I really like the idea of a simplified security check from clicking the lock. It's just currently, well, too simple. 😆 I can envision something like:
The last line would be for OV/EV certs (with the text in green for EV, probably, to meet user expectations). I personally don't see value in displaying the CN of a DV cert because that starts leading into problems with SANs and such; if there's a domain mismatch, it won't be a valid cert... No reason to overwhelm the average user with redundant information which can only add uncertainty. ("So example.com has a certificate for example.com... Does that mean newmailprovider.org might not have one that matches their name? Would that still be secure, or no?") As an aside, most browsers don't meaningfully differentiate the display of DV and OV certificates to the user. Part of me thinks this is why EV certificates caught on rapidly, as companies would not have been so willing to spend money on EV certs if OV certs got better treatment by browsers. As individuals cannot obtain EV certificates (in any useful sense), this would also help to make OV certificates worthwhile for individuals to purchase. While there is the obvious enhancement of a "More Info" link which opens the Developer Tools panel, I've purposely omitted it: if a developer is looking for an overview of the connection ("Is this site now using the certificate I think it is? Or is it the one from the old CA which expires next week?" or "Did enabling TLS 1.2 work?"), this seems to be a happy medium of providing the most basic useful information for clueful people while making less-technical users feel confident and not overwhelming them. I, however, acknowledge that common practice is to jump from "simple view" to "OMG ALL THE THINGS!!!!1111". I just don't see the inherent value. I just went through a number of browsers to see what they do, after writing all of the above, and this method is most similar to Microsoft Edge's. So there's precedent in the general concept, though I expect Brave can make it look much better. 
👍 Note that a large concern here is balancing "tell the average user enough that they can feel secure, but not enough to feel out of their league" versus "tell the users who need to know details enough that they can avoid opening the Developer Tools to find out basic information". If done right, it may demystify things enough to even help the average user feel more confident with security certificates, and that can only be a good thing. One does not need to be initiated into the inner sanctum to worship at the altar; likewise, much complexity can be eliminated as long as there is enough information left to have faith in the connection. Hopefully this helps illuminate the value I see here, and helps guide the Brave developers towards ending up with a solution which pleases everyone enough that no one complains in the future. 😃
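The layered lock summary proposed above, as an added example that is not part of the original thread or of Brave's own code: it classifies a leaf certificate as DV, OV, IV or EV from the CA/Browser Forum policy OIDs, checks the hostname against the SANs, and only adds an identity line for OV/EV. The certificate dictionaries, issuer names and the "policies" key are constructed for the example.

```python
# Added example (not Brave/muon code): the layered lock summary proposed above,
# driven by the CA/Browser Forum certificatePolicies OIDs that mark a leaf cert
# as DV, OV, IV or EV. Input mimics ssl.getpeercert(); "policies" is assumed to
# come from a fuller X.509 parser (ssl does not expose certificatePolicies).
# Browsers also grant EV to a per-CA allow-list of issuer OIDs; not modelled.
CABF_POLICY = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV",   # CA/B Forum
               "2.23.140.1.2.3": "IV", "2.23.140.1.1": "EV"}     # reserved OIDs

def validation_level(policies):
    """Strongest CA/B Forum level asserted by the certificate, else 'unknown'."""
    rank = ["DV", "IV", "OV", "EV"]
    found = [CABF_POLICY[p] for p in policies if p in CABF_POLICY]
    return max(found, key=rank.index) if found else "unknown"

def _name_matches(pattern, hostname):
    # RFC 6125 style: a wildcard covers exactly one leftmost label.
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def _field(rdns, key):
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def lock_summary(cert, tls_version, hostname):
    """One line for everyone, issuer/expiry for the clueful, and a subject
    identity line only when the CA vetted it (OV/EV); a DV CN is never shown."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(_name_matches(s, hostname) for s in sans):
        return {"secure": False, "level": None, "ev": False,
                "lines": [f"Not secure: certificate does not cover {hostname}"]}
    level = validation_level(cert.get("policies", ()))
    lines = [f"Secure connection ({tls_version})",
             f"Verified by: {_field(cert['issuer'], 'organizationName')}",
             f"Expires: {cert['notAfter']}"]
    if level in ("OV", "EV"):
        org = _field(cert["subject"], "organizationName")
        lines.append(f"Identity: {org} ({_field(cert['subject'], 'countryName')})")
    return {"secure": True, "level": level, "ev": level == "EV", "lines": lines}

# Constructed sample certificates with placeholder names (not real issuers).
EV_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),)),
           "issuer": ((("organizationName", "Example EV CA"),),),
           "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
           "notAfter": "Jan  1 00:00:00 2027 GMT", "policies": ["2.23.140.1.1"]}
DV_CERT = {"subject": ((("commonName", "*.example.org"),),),
           "issuer": ((("organizationName", "Example DV CA"),),),
           "subjectAltName": (("DNS", "*.example.org"),),
           "notAfter": "Jun 30 00:00:00 2026 GMT", "policies": ["2.23.140.1.2.1"]}
```

`lock_summary(EV_CERT, "TLSv1.2", "www.example.com")["lines"]` yields four lines ending in the identity line, while the DV certificate yields three and a wildcard never covers a second label.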
I literally just ditched Chrome because of this exact problem. I'm pretty much all for adopting Brave, but this is key to me. To the point where tonight when I get off work I'll literally be looking at the source to see if I can POC this myself.
I believe @darkdh is working on this (or something similar). @darkdh, do you have an update? @hexploitable, let us know if you need any help getting set up 😄 Any help is appreciated.
There is a WIP branch in muon.
dup #2611
@hexploitable agreed - I think this is its own issue. Assigning @darkdh 😄
Test plan
#7319 (comment)
From support
Similar to #791
cc: @diracdeltas